PT-2020-3786 · Squid+7 · Squid+8
Régis Leroy · Published 2020-08-24 · Updated 2024-06-15 · CVE-2020-15811
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
Squid versions prior to 4.13
Squid versions 5.x prior to 5.0.4
Description:
An issue was discovered due to incorrect data validation, allowing HTTP Request Splitting attacks to succeed against HTTP and HTTPS traffic. This leads to cache poisoning, enabling any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. The issue arises because Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding, allowing an attacker to hide a second request inside Transfer-Encoding. This is interpreted by Squid as chunked and split out into a second request delivered upstream, resulting in Squid delivering two distinct responses to the client and corrupting any downstream caches. The vulnerability is also related to the lack of processing of CRLF sequences in HTTP headers.
Recommendations:
For Squid versions prior to 4.13, update to version 4.13 or later.
For Squid versions 5.x prior to 5.0.4, update to version 5.0.4 or later.
As a temporary workaround, consider restricting access to the Transfer-Encoding header to minimize the risk of exploitation.
Fix
HTTP Request/Response Smuggling
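The difference the Description draws between searching for the string "chunked" and actually parsing the Transfer-Encoding header, as an added illustration (not Squid's code and not part of the original advisory). Function names and sample values are constructed, and rejecting transfer-coding parameters is a simplifying assumption.

```python
import re

# RFC 7230 "token" characters; a transfer-coding name may contain only these.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def naive_is_chunked(value):
    """Flawed pattern from the Description: substring search, no parsing."""
    return "chunked" in value.lower()

def parse_transfer_encoding(value):
    """Return lower-cased coding names; reject CR/LF, non-tokens, parameters."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR or LF inside header value")
    codings = []
    for element in value.split(","):
        name = element.strip(" \t").lower()
        if not name:
            continue  # empty list elements are tolerated by the list grammar
        if not TOKEN.fullmatch(name):
            raise ValueError(f"not a valid transfer-coding: {name!r}")
        codings.append(name)
    if not codings:
        raise ValueError("empty Transfer-Encoding")
    return codings

def strict_is_chunked(value):
    """True only if 'chunked' is a whole token, appears once, and is last."""
    codings = parse_transfer_encoding(value)
    if "chunked" in codings[:-1]:
        raise ValueError("'chunked' must be the final transfer-coding")
    return codings[-1] == "chunked"

def compare(value):
    """Return (naive verdict, strict verdict or 'reject') for one value."""
    try:
        strict = str(strict_is_chunked(value))
    except ValueError:
        strict = "reject"
    return naive_is_chunked(value), strict

# Constructed sample values, not taken from the advisory.
SAMPLES = ["chunked", "gzip, chunked", "xchunked", "chunked, gzip",
           "identity\r\nchunked"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), compare(sample))
```

Any value where the two verdicts disagree is one that a substring check frames as chunked while a parser does not, which is the mismatch the advisory describes.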
Related Identifiers
Affected Products
ALT Linux
CentOS
Linux Mint
Red Hat
Rocky Linux
Squid
Squid Cache
SUSE
Ubuntu